If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Secure Email Transport Authentication Protocol

When your executives want to send email, use SMTP. When they want to send highly classified corporate data, use SETAP.

SETAP (Secure Email Transport Authentication Protocol) is a network Email Server protocol that incorporates 2048-bit 4AES Encryption for secure data transmission; a virtually infallible method of client authentication without the use of certificates that may be intercepted and forged; and utilizes Random Data Ports over a 2048-bit 4AES Encrypted Channel using a Unique Session Key for each transaction.

CTD Technologies' patented SETAP Server appliance is built entirely around SETAP. Incorporating some of the industry's finest intrusion detection, monitoring and firewall technology, SETAP Server offers a new standard for pro-active security-hardened network Email delivery. In most network environments, standard Email serving methods are highly vulnerable to compromise and are extremely time-intensive to set-up and maintain even a low-level of protection. The SETAP protocol along with the SETAP Server provides for automatic registration, pro-active system protection against intrusion and little administration.

Knowledgeable hackers know every exploit for every security standard that you are trying to implement. With SETAP, we set out to redefine those standards and in the process came up with an extremely challenging protocol. I take pleasure in knowing that this protocol does not play by the rules at all, says Michael Vaughn, Chief Software Architect for CTD Technologies. Virginia Guiler, VP of Research and Development for CTD Technologies additionally comments, As processor speeds and bandwidth increase rapidly in our connected world, secure communication becomes a necessary resource that requires absolute authentication and accuracy. The SETAP protocol and SETAP Server were designed for precisely that purpose.

Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson

Ugly

Hmmm, talk about making money of the paranoid. I need to read more on this but there is such a thing as fool proof and foolish. Below is my reasoning behind this:

1) Proprietary Algorithm and Equipment (why slave yourself)
2) No backwards compatability (No go for wide spread use)
3) Filtering IP after one failed use (do you wanna be the admin to clear up that mistake?)

The nice things I like is the unique sessions and random data ports. My view on all this is that would probably be enough to secure your mail.....assuming that you have already put restrictions on the ability to monitor your media (switching while watching arp etc....) This is a setup designed for a private mail exchange that would be used exclusively for a large corporation that is VERY paranoid about e-mail. Good for banks maybe? Requires client side software to be installed and the dedicated mail server to be linked to each station. Secure as hell, but to restrictive.

This is an interesting protocol. What I do not agree with is it's dependancy on the client and server type setup. This would be beyond a perfect setup for a small business that needs absolute security across e-mail. But not a solution for an individual user. I am under the impression that you install the client software onto whatever hosts you may want. From there you actually are prompted to hardcode the IP address of the server that you wish to connect to sendmail. From there we are dealing with an intranet type setup where the protocol is proprietary so the only ones that can use it are the ones with the client software setup. This seems to be good for busness (selling licenses etc...) but really shitty for any hope of this protocol to ever be in the hands of ordinary users that wish to secure a mail connection (lets just say point to point). Regardless, like I said, niffty lil proddy but is there going to be any adaption towards a smaller scale?

That was a very good question, and I'll try to give you a good answer.

Corporate espionage and sabotage are rampant. For instance, the Biotech industry is at war with itself as competitors try and get intelligence on what patents the other companies are working on. The banking industry, though they will never admit it publicly, is loosing a large amount of money from intercepted and decoded transactions. SSL is a joke.

Another use of this would be field agents communicating with their home offices.

A packet sniffer can easily monitor all data that leaves or enters someone's NIC card. The FBI can install Carnivor at the ISP level and harvest data.

There are many solutions available today for the public at large: PGP, P3P, SSL, etc.

However, there are times where a company may have a need and desire for the strongest protection that technology can provide, and they should have it.

Sure, I admit that this is a hardcore protocol almost to the point of insanity; I set out to build it just to see if I could. And I had a lot of fun doing it also. However, getting the client/server synchronization working took a few years off of my life, it was a rewarding experience once it all flowed together.

I haven't had any sales yet because it hasn't been out yet a week, and most people do not even know that it exists. All I can do is hope that someone out there will find it to be a fun toy and order it.

Interesting. But I notice that yet again you have to have some client software for ultimate protection.

Many organizations try to capture the secure-mail market. In Norway, the postal services have implementations of protocols similar to this one. Of course that is because of the smaller amounts of buisiness snail-mail, and trying to stay ahead of the market.

As far as I know, you have to have some client software also in their solution, to be able to use a good enough encryption algorithm. The mail is not sent directly to the reciever, but is bufferd in the postal office's server, so they can guarantee that the mail comes from the sender and is delivered to the reciever. The system is quite exciting, but not very easy to use at this point, because of you have to have the client software, and also a special e-mail address provided by the postal services.

The idea is to create a system that will be approved by the goverment to use with govermental documents, such as tax papers etc. Together with this, an implementation of electronic signatures is also under development. The idea is that when able to send important documents with e-mail, they could also be signed electronically. Perfect for signing contracts etc.

But there has to be a third party involved, and also client software. We know that to this date there is no fool-proof solution without this overhead.

Very good point, and yes, client software is needed. The reason for this is that it is a proprietary system. It needs to be proprietary because of the mechanics that are involved. The client software must be able to assemble the authentication package on each run, as well as utilize my Rijndael implementation 2048-bit 4AES. There is nothing available commercially that can do this. Also, the client must accept a call from the server to validate the IP on a random Secure Channel. So at this point it has to be a closed system.